
Ed Skoudis lists the Top 5 Worst Attacks of 1998 - 2002

June 10, 2008

That which does not kill us makes us stronger.
-Friedrich Nietzsche

In the November 2002 Information Security Magazine article, Infosec’s Worst Nightmares, Ed Skoudis lists the Top 5 Worst Attacks of 1998 – 2002. Mr. Skoudis is a founder of Intelguardians Network Intelligence, LLC and is a handler at the very popular Internet Storm Center.

Mr. Skoudis mentions that the top five major destructive attacks of 1998 – 2002 made many industries “battle-tested” and more likely to be proactive rather than reactive. The five-year Skoudis Worst list is based on exploits that shook our very faith in the Internet and the security of e-commerce.

1. Code Red (2001). On July 13, 2001, the worm attacked Microsoft IIS systems. By July 19, 2001, the worm had infected over 350,000 systems. SANS and the Honeynet Project set up honeypots to capture the worm, but eEye Digital Security programmers did the most intense research on the worm and also named it. The worm exploited a vulnerability in the indexing software distributed with IIS, described in Microsoft’s MS01-033 patch. It was a buffer overflow attack. Some of the lessons learned: keep systems patched, use honeypots to capture malware, and coordinate response to help contain worms.

2. Nimda (2001). Shortly after 9/11, the Nimda worm was unleashed. It caused more damage financially than Code Red. There were rumors that it was China that released it to hurt the US further, but this is unlikely due to the nature of Nimda.

While it was bad, it had the appearance of being written by a determined amateur, not a nation-state that spends $1 Billion annually on cyberwarfare capabilities. – Skoudis.

Nimda affected Windows 95, 98, Me, NT, and 2000 clients and servers running Windows NT and 2000. It was so effective because it attacked IIS, e-mail, browsers and network shares. This multi-dimensional attack method could mark a trend in future cyberwarfare.

Lessons Learned: The importance of an incident response capability, disabling arbitrary scripts in e-mail and browsers.

3. Melissa (1999) & LoveLetter (2000). Both of these spread malware through e-mail propagation. Melissa was a Microsoft Word macro virus, and LoveLetter was the “I Love You” virus. The worm harvested the victim’s address book to forward itself to more victims, which took down a lot of e-mail servers. Lessons Learned: Many companies got serious about implementing anti-virus applications throughout the network.

4. Distributed Denial-of-Service (DDoS) attacks (2000). After all the panic of pre-Y2K, a completely new and unexpected storm hit major sites: Yahoo!, Amazon, CNN, E*Trade, ZDNet and eBay. All by a single child hacker nicknamed Mafiaboy. He had spread zombie flooding agents to hundreds of machines around the world and used them to attack sites with billions of useless packets. Lessons Learned: employ anti-spoofing filters.

5. Remote Control Trojan Horse Backdoors (1998 – 2000). In 1998, the Cult of the Dead Cow hacker group created the Trojan Back Orifice, which initially targeted Windows NT/9x. The tool allowed unskilled attackers to attack any vulnerable system. It also marked the rise of the “script kiddies” and produced a bunch of spin-offs such as SubSeven, NetBus and Hack-a-Tack.


Phlash Dance: phlashing

June 9, 2008

Phlashing allows an attacker to damage hardware over the Internet. This is something new and consists of flashing, as in changing the firmware, or the computer code in chips on your motherboard, controller cards or other hardware. Since more modern systems allow flashing firmware over a network for quick updates, this is now an exploitable vulnerability. Previously, you had to “flash” those chips from the machine that contained them.

There are security features in hardware to prevent this kind of vandalism, but unfortunately some flaws enable hackers to flash destructively. Phlashing code has already been developed by security researchers and hackers. Phlashing attacks are not easy and will likely not be common; however, it is a possible glimpse of the coming storm of weapons of cyber destruction.

“Phlashing” attacks could render network hardware useless
Most computer security coverage focuses on the PC realm, but Rich Smith, head of HP’s Systems Security Lab, has identified a potential security flaw within a network’s physical hardware rather than a typical desktop or server system. Smith’s report focuses on a class of devices he refers to as Network Enabled Embedded Devices (NEEDS for short), and how such systems could be attacked at the firmware level through a process he refers to as “phlashing.” - more at Arstechnica


security vs. liberty

March 10, 2008

“He who sacrifices freedom for security deserves neither.” - Ben Franklin

Security is important, but it should be done in wisdom not only fear and paranoia lest we forsake everything we seek to protect.

The military is a good example of security versus liberty.

A U.S. military installation is one of the most secure places you can be in. Depending on the resources therein, there can be fencing around the installation, mobile forces, and only a few active entry points. Entry points are controlled by armed guards, barriers, and sometimes even machine guns and “man traps”. Only authorized personnel may enter, and even “authorized personnel” can only enter certain areas once on the base. The installation is controlled by the base commander, whose laws are MUCH more strict on the base. Entering the base means you give up things like the right to protest. You can be searched at any time and you can be shot for going certain places… such as the flightline. All in all, it is the safest place to be in the event of civil unrest off base, because on base there are law enforcement, security forces, and backup ready reserve forces capable of mobilizing in a matter of minutes.

All the security, with very, very controlled liberties. Such a controlled environment requires very controlled personnel.

This is why as a security professional I understand what it means to have more security and lose liberties. Although many Americans are willing to give up some liberties for more National Security, I fear that most don’t really realize how much they are really giving up. Perhaps the biggest loss is privacy, and in this day and age personal data has become our most valuable asset. No one is going to protect it like you. Certainly not the government. It is such a large entity that it can only summarize you and your family into numbers, statistics.

U.S. servicemen and women are numbers and statistics to the federal government. They are (to some extent) owned by the federal government while serving under oath. Their dedication includes their life, if service calls for it. Their service is no trivial event. All the more reason liberty must be preserved… to honor the sacrifices of a few. True American patriotism is the preservation of every remaining freedom at any cost.


Snuggly, the Cuddly Security Bear

September 4, 2007

snuggly the security bear - mark fiore


How I got into Security

June 13, 2007

Martin McKeay over at the Network Security Blog asks “How did you get into Security?” That is a good question. It’s something that I’ve been asked and what I like to ask others in the business.

Up until recently, I’ve done security my entire adult life very reluctantly. I started off in the military as a Security Policeman (now called security forces). I was a security specialist and was groomed into law enforcement. The description sounded like special forces. And even though security forces do some pretty cool stuff, it’s NOT usually doing anything even close to what combat controllers, pararescue, Force Recon, Navy SEALs and Delta Force do. Instead it’s like the Air Force version of infantry (when I was in we even trained with the Army infantry at Ft Dix).

I had about five years learning every aspect of physical security. I later “cross trained” into communications expecting to do some hardcore technical stuff. And I did, but while I wanted routers I got the help desk and later pure security (firewalls, IDS, C&A packages, COMSEC, EMSEC), a little of everything. My experience in the military made it easier for me to pass the CISSP, which covers a little of everything.

These days I teach certification classes and do auditing, policies, consulting as well as certification and accreditations. 


17-year-old accused of hacking into school computers

January 24, 2007

“JEFFERSON COUNTY – A 17-year-old student at Golden High School has been arrested after police say he hacked into the school’s computer system and changed grades.

Police say charges could include forgery, computer crime and use of forged academic records.

Police believe the student hacked into the campus portal system, which is meant to give parents access to grades, schedules and attendance records.”

Every time I hear about a kid trying to hack the school records I am reminded of Ferris Bueller’s Day Off.



There is no such thing as Security

October 18, 2006

I’ve noticed that there are two types of security people: anal “type A personalities” who live every moment by the rules, and those that realize that there is no real security. Please understand that these two mindsets don’t seem to have anything to do with talent. I’ve met talented people with both mindsets. A talented security professional is mindful, aware, and always pays attention to detail. The very best seem almost psychic in their ability to spot wrongdoing, security breaches and even malicious intent.

Type A security people seem to thrive on “catching bad guys”. It’s like they are kids playing cops & robbers. These people thrive on structure, order and regulations. In information security they know how important it is to have lots of centralized control and a standard configuration for all systems. In the Myers-Briggs personality test, these people are ESTJs (Extraverted Sensing Thinking Judging). The thought of anyone getting away with breaking the law (ANY LAW) is unacceptable. These guys make great Directors of Security, CSOs and other policy creators as long as they don’t micromanage their people. Their employees will either love them as a great mentor or hate them with every fiber of their being.

Those who realize that there is no such thing as security are hackers. They are many times INFPs (Introverted iNtuitive Feeling Perceptive). Unlike the ESTJs they don’t care about structure and rules, because they realize that rules are only suggestions to keep an acceptable level of order. For them the most important rules are in a person’s heart. ESTJs will usually see these people as lazy and think they don’t really care, but these people are just trying to find an easier way to do things. If they don’t enforce certain rules or cut corners, it is because they sincerely believe that the rule or enforcement (in that particular situation) is not needed. Employees will usually love INFPs unless they happen to be ESTJs.

I am a bit biased because I am in the second camp, INFP. I don’t believe there is such a thing as “security”. No one is ever completely safe. All a malicious intending person needs is the element of surprise, time, and pressure and they can get away with anything they want. Further, anyone at any time can have malicious intent: employees, kids, bosses, friends, family, not just random strangers.

Security is just an illusion.  The one good thing security does is ensure you are faster than the slowest person, organization, network or whatever on the block.  Those with malicious intent will typically go for the easiest target. 

Since many crimes happen from people that the victims know, all we can really do is not worry about it. Life is too short to waste too much time fretting about every possible thing that can happen to you.

I guess that is what Ben Franklin meant when he said:

“Those Who Sacrifice Liberty For Security Deserve Neither”  

If you worry so much about security that you can’t enjoy the fruits of your labor, then what is the point of living, and if you can’t enjoy living what’s the point of protecting ANYTHING. - elamb


Information Security Gurus: Say Goodbye Mr. Network Geek

September 15, 2006

“Information Security workers have found themselves caught up in this wave of change. Originally, it was an important and vital job to track down the current virus threats, manage the Service Packs in [Pick your Windows flavor here], install the few hotfixes needed and call it a day. The rest of our time was spent on the important matters - defining”

The “wave of change” keeps me employed, but I must agree with Karn at Security-Guru.blogspot. There are a lot of times that I’m just playing “whack-a-mole” with security problems. The root of the problem needs to be taken care of.

There is a movement toward more proactive security instead of the old, losing reactive security:

- At Defcon, Rick Wesson of Support Intelligence, LLC introduced a method of tracking botnets and blacklisting malware servers globally and in real time.
- Microsoft is heading up a proactive security project called Strider HoneyMonkey Exploit Detector. It is a kind of active honeypot that follows the links of malicious sites to find new exploits.



Security Forums Directory

July 21, 2006

Easily locate forums and newsgroups related to security. Why isn’t elamb.org on there? Oh, well.



Security Geek Fired By Suits: For Doing His Job?

July 21, 2006

“A security geek is fired by executive management after the company is broken into by thieves and loses nearly $100k in equipment. The security geek had previously recommended safety measures that would have prevented this, but they were shot down by those same executives! Who should have been fired in this story?”

Looks like they used this security guy as a scapegoat to protect their own asses. Doesn’t documentation mean anything?! Ultimately, it is that company that will suffer from keeping incompetent and untrustworthy people (if that is the case.)



